In the past six months, Adobe Flash Player took the coveted top spot as the most exploited application. From an exploitation point of view, the architecture of Adobe’s AVM has multiple flaws that allow attackers to craft ROP shellcode on the fly, thus bypassing ASLR and DEP. Combined with the evasion techniques described in this report, this makes for a nasty combination, with practically every user vulnerable.

Flash exploits are so popular because Flash advertisements are so prevalent. According to Ad Age, 84 percent of online ads are delivered through Flash, which makes it a green field for cyber attacks. Unfortunately, as is the case with so many industries, security has been an afterthought to the advertising industry, which had no financial motivation to develop a more secure delivery model.

There is no doubt that blocking Flash ads will improve security. Bromium research has written extensively about malicious advertising, which can be targeted to specific users of operating systems, browsers and plug-ins. Therefore, even though Chrome will be blocking Flash, malicious Flash ads will remain a viable attack vector for other browsers because they can be easily targeted.

Where does this leave organizations? They remain vulnerable to zero-day attacks if they leave Flash enabled and unpatched. And yet, even when a patch emerges, a new set of challenges comes with it: do you race to deploy the newest patch? Or do you test to make sure it integrates with legacy systems?

Of course, the third option is to deploy threat isolation security solutions. This latest zero-day and others like it can be contained by isolating the browser in a micro-VM (such as Bromium vSentry). By isolating the threat, security and ops teams are granted the grace period needed to test and deploy these critical patches.

A chain is only as strong as its weakest link. Today the weak link is Flash; tomorrow it will be something else. The internet today is a constantly changing and expanding chain made up of potentially weak links. Disabling Flash is a good move, but in the end it’s just another reactive band-aid. Unless a new approach to security is taken, we will be back in the same position with a different link next week or next month.